Hacking from/using Avaya IP 1120E SIP Firmware

[TheMitelGuy]

Hello,

I see there was this thread opened here on Tek-Tips...

https://www.tek-tips.com/viewthread.cfm?qid=1801533

It's in regards to someone seeing an Avaya IP 1120E IP phone attempt to register to their IP Office. We are actually seeing the same thing here attempting to register (SIP) to a Mitel system. I'm just wondering if anyone else has seen this activity as well? We have confirmed with Mitel, and it does look like a hacking attempt (hundreds over the course of hours, from different DNs and different public IPs). Our captures are identical to the ones mentioned in the above thread. To us, it appears someone has hacked Avaya's 1100-series firmware and is using it to attempt to register to phone systems on the public Internet. Just wondering if anyone else has noticed this activity - we can't be alone on this.

Thanks!

 

[daken]

Not hacked phone firmware, that i'm aware of just a faked user Agent string.

I have seen active attempts to register, been seeing them for the past few years.

I have seen successful registration attempts and big bills.

The user agent string might make a difference when registering to a PBX

Please use secure user pins / phone extension passwords / user passwords

Try not to expose the sip registration ports to the internet without first thinking seriously about the security of your systems

Please do NOT expose port 7070 to untrusted locations.

https://downloads.avaya.com/css/P8/documents/101070158

 

[Okkie26]

That's where we use SBC for...